Analysis

  • max time kernel
    139s
  • max time network
    143s
  • platform
    windows10-1703_x64
  • resource
    win10-20230621-en
  • resource tags

    arch:x64, arch:x86, image:win10-20230621-en, locale:en-us, os:windows10-1703-x64, system
  • submitted
    29/06/2023, 22:45

General

  • Target: Jsreceipt0193617_PDF.html
  • Size: 103B
  • MD5: c349aed7796c6cf3784b423f7a348429
  • SHA1: 1f9f048f524a83ad569e0df65b709bc1de4f344f
  • SHA256: 07176693f0658bb82e3408ef1e85a545b039acf315749ce888dfce55252696cc
  • SHA512: f505e8dfd29079f11b817204334e65a6c307e6bed8d5a04a7a95fef32bf4031040ef7830b7f039f596c904a489de2887d0903016204e1e78b9715126ccb1e455

Malware Config

Extracted

  • Family: vjw0rm
  • C2: http://jsnew9400.duckdns.org:9400

Signatures

  • Vjw0rm

    Vjw0rm is a remote access trojan written in JavaScript.

  • Blocklisted process makes network request (1 IoC)
  • Drops startup file (1 IoC)
  • Adds Run key to start application (2 TTPs, 2 IoCs)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • Modifies Internet Explorer Phishing Filter (1 TTP, 2 IoCs)
  • Modifies Internet Explorer settings (1 TTP, 51 IoCs)
  • Modifies registry class (1 IoC)
  • Suspicious use of FindShellTrayWindow (2 IoCs)
  • Suspicious use of SetWindowsHookEx (4 IoCs)
  • Suspicious use of WriteProcessMemory (3 IoCs)
  • Uses Task Scheduler COM API (1 TTP)

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

  • Uses Volume Shadow Copy WMI provider

    The Volume Shadow Copy service is used to manage backups/snapshots.

  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\Jsreceipt0193617_PDF.html
    1⤵
    • Modifies Internet Explorer Phishing Filter
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1824
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1824 CREDAT:82945 /prefetch:2
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      PID:2116
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
      PID:4760
    • C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Temp1_Jsreceipt0193617_pdf.zip\Jsreceipt0193617_pdf.js"
      1⤵
      • Blocklisted process makes network request
      • Drops startup file
      • Adds Run key to start application
      PID:4968

    Network

    MITRE ATT&CK Enterprise v6

    Downloads

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
      Filesize: 471B
      MD5: 4b958c078984d97dc80efb7b9c9db5d9
      SHA1: e36452e7ea54d63035d7a8d81d13ea506fc8357f
      SHA256: 0b69c52b5e2faba2e0b7d6e67a7693e333d0aea0dbb80cb95764fd50b9a0e799
      SHA512: 75fbbc35d97c0d0513324ee27395c74d70e2b2a3dcdd0c03e4014b0b0307c9e7742c49a165677cee79563f4efbe56c94bbaea2c7867d3401cbe1fabab7df9c91

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
      Filesize: 404B
      MD5: cbc113b9420f3adf1dfff952ce89268a
      SHA1: e73e42c10cdfc0ca97f293e6da8382ccec5d8b95
      SHA256: 07c6a299470f1359e6f5fc545955328a938c69e06580ba3a3079b7faf509cf3f
      SHA512: 316517d3ea3c246421c3aaacef1da66d943598452fcc3f9b00609c182bd63f0351cb03ee1eafecfbf2dd25a18442b1105a754ec55f566fe65ccbc14d62df33b2

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\KNTZ9GX2\Jsreceipt0193617_pdf.zip.5khy18z.partial
      Filesize: 300KB
      MD5: b3f848fe0250349da6b62939ac0b848e
      SHA1: 9b15a7ca6b7832c48f028de394bfd0c796bc560a
      SHA256: a174433a80690c315a52012c68ca86c3b03683ff6fd8420a261146d747ba93fb
      SHA512: c5e46ca54d198a6287769078130b266d21c72efb7a1ca8c9d69ed1be8613619c6e5cc1436665151b1ad86a5533bbd7546060728de4393b783066302cc41717cd

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\XGKDZR89\Jsreceipt0193617_pdf[1].zip
      Filesize: 300KB
      MD5: b3f848fe0250349da6b62939ac0b848e
      SHA1: 9b15a7ca6b7832c48f028de394bfd0c796bc560a
      SHA256: a174433a80690c315a52012c68ca86c3b03683ff6fd8420a261146d747ba93fb
      SHA512: c5e46ca54d198a6287769078130b266d21c72efb7a1ca8c9d69ed1be8613619c6e5cc1436665151b1ad86a5533bbd7546060728de4393b783066302cc41717cd

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\XGKDZR89\suggestions[1].en-US
      Filesize: 17KB
      MD5: 5a34cb996293fde2cb7a4ac89587393a
      SHA1: 3c96c993500690d1a77873cd62bc639b3a10653f
      SHA256: c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad
      SHA512: e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\62VHVC1L.cookie
      Filesize: 608B
      MD5: 720e72acd6b76dc2351d02f51109e637
      SHA1: ced7e01ff20d7d3a523854a7dff71f2d33f9d0f1
      SHA256: 31e48c1b155330b170d99cf5d083a3cde07bf473f125be651a38cf218107ac1b
      SHA512: 3c9b44cb521eeb4ab96111200d9be6398ce9b31ce1f29838bef9fe7bba71df0b2c16419e412bd9f9e3c2f7ecc7e118f0791d3f03c640c70e8aed9424580c96d5

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\S9ECIX6B.cookie
      Filesize: 609B
      MD5: 93516833b3cbaab82e8ff82b3d6e2be9
      SHA1: cdcdd6355b5b981c0f81db38b62e68bbd59c5a7c
      SHA256: 5d1898aab83d148a1ae580939920e4c63c47a28e8bf91fb6acbdfc4e8e2928b2
      SHA512: 10d976c732773234d585bd3cc67f0d4ddbb4a019d3aa486bffc50d186c0543992e906a6681b5f881918d6beead16b94cedae44714ac8c8fe08bdd2d65daa05fa